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Abstract 

We present six multiparty protocols with information-theoretic security that tolerate an arbi- 
trary number of corrupt participants. All protocols assume pairwise authentic private channels 
and a broadcast channel (in a single case, we require a simultaneous broadcast channel). We 
give protocols for veto, vote, anonymous bit transmission, collision detection, notification and 
anonymous message transmission. Not assuming an honest majority, in most cases, a single 
corrupt participant can make the protocol abort. All protocols achieve functionality never ob- 
tained before without the use of either computational assumptions or of an honest majority. 
Keywords: multiparty computation, anonymous message transmission, election protocols, col- 
lision detection, dining cryptographers, information-theoretic security. 

1 Introduction 

In the most general case, multiparty secure computation enables re participants to collaborate to 
compute an n-input, n-output function (one per participant). Each participant only learns his 
private output which, depending on the function, can be the same for each participant. Assuming 
that private random keys are shared between each pair of participants, we known that every function 
can be securely computed in the presence of an active adversary if and only if less than re/3 
participants are corrupt; this fundamental result is due to Michael Ben-Or, Shah Goldwasser and 
Avi Wigderson [BGW88] and David Chaum, Claude Crepeau and Ivan Damgard [CCD88| . When 
a broadcast channel is available, the results of Tal Rabin and Michael Ben-Or [RB89] tell us that 
this proportion can be improved to re/2. 

Here, we present six specific multiparty computation protocols that achieve correctness and 
privacy without any assumption on the number of corrupt participants. Naturally, we cannot 
always achieve the ideal functionality, for example in some cases, a single participant can make the 
protocol abort. This is the price to pay to tolerate an arbitrary number of corrupt participants and 
still provide information-theoretic privacy of the inputs. 

All protocols we propose have polynomial complexity in the number of participants and the 
security parameter. We always assume pairwise shared private random keys between each pair 
of participants, which allows pairwise private authentic channels. We also assume a broadcast 
channel and, even though it is a strong assumption, in some cases we need the broadcast to be 
simultaneous [CGMA851 IHMOK] . 



1.1 Summary of results 

Our main contributions are in the areas of elections (vote) and anonymity (anonymous bit trans- 
mission and anonymous message transmission). Each protocol is an astute combination of basic 
protocols, which are also of independent interest, and that implement parity, veto, collision detec- 
tion and notification. 

The main ingredient for our information-theoretically secure protocols is the dining cryptog- 
raphers protocol [Cha88] (see also Section [2]), to which we add the following simple yet powerful 
observation: if n participants each hold a private bit of an n-bit string with Hamming weight of 
parity p, then any single participant can randomize p by locally flipping his bit with a certain 
probability. It is impossible, however, for any participant to locally derandomize p. In the case 
of the anonymous message transmission, we also build on the dining cryptographers protocol by 
noting that a message that is sent can be ciphered with a one-time pad by having one participant 
(the receiver) broadcast a random bit. Any modification of the message can then be detected by 
the receiver with an algebraic manipulation detection code [CFP07] . 

1.1.1 Vote 

Our vote protocol (Section H]) allows n participants to conduct an m-candidate election. The privacy 
is perfect but the protocol has the drawback that if it aborts (any corrupt participant can cause an 
abort), the participants can still learn information that would have been available had the protocol 
succeeded. For this protocol, we require a simultaneous broadcast channel. It would be particularly 
well-suited for a small group of voters that are unwilling to trust any third party and who have no 
advantage in making the protocol abort. 

Previous work on information-theoretically secure voting protocols include [CFSY96J, where a 
protocol is given in the context where many election authorities are present. To the best of our 
knowledge, our approach is fundamentally different from any other approaches for voting. It is the 
first to provide information-theoretic security without requiring or trusting any third party, while 
also providing ballot casting assurance (each participant is convinced that their input is correctly 
recorded [AN06] ) and universal verifiability (each participant is conviced that only registered voters 
cast ballots and that the tally is correctly computed [SK95]). 

1.1.2 Anonymity 

Anonymity is the power to perform a task without having to identify the participants that are 
involved. In the case of anonymous message transmission, it is simply the capacity of the sender 
to transmit a private message to a specific receiver of his choosing without revealing either his 
identity or the identity of the receiver. A number of protocols have been suggested for anonymous 
transmission. Many of these rely on trusted or semi-trusted third parties as well as computational 
assumptions (for instance, the MIX-net [Cha 81]). Here, we do not make any such assumptions. 
The most notable protocol for anonymous transmission in our context is the dining cryptogra- 
pher's protocol [Cha88j . which allows a single sender to anonymously broadcast a bit, and provides 
information-theoretical security against a passive adversary. We present the protocol in a version 
that implements the multiparty computation of the parity function in Section [2l 

The case of multiple yet honest senders in the dining cryptographer's protocol can be solved 
by time slot reservation techniques, as originally noted by Chaum [Cha88| . But nevertheless, any 
corrupt participant can jam the channel. Techniques offering computational security to this problem 
have been proposed [Cha88l IWP8 9b] . Also, computational assumptions allow the removal of the 
reliance on a broadcast channel [WP89a] . 
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In our implementation of anonymous bit transmission (Section [5]), we elegantly deal with the 
case of multiple senders by allowing an unlimited amount of participants to act as anonymous 
senders. Each anonymous sender can target any number of participants and send them each a 
private bit of his choice. Thus, the outcome of the protocol is, for each participant, a private list 
indicating how many Os and how many Is were received. The anonymity of the sender and receiver 
and the privacy of all transmitted bits is always perfectly achieved, but any participant can cause 
the protocol to abort, in which case the participants may still learn some information about their 
own private lists. 

We need a way for all participants to find out if the protocol has succeeded. This is done with 
the veto protocol (Section [3]), which takes as input a single bit from each participant; the output of 
the protocol is the logical OR of the inputs. Our implementation differs from the ideal functionality 
since a participant that inputs 1 will learn if some other participant also input 1. We make use of 
this deviation from the ideal functionality in further protocols. 

In our fixed role anonymous message transmission protocol (Section [8]), we present a method 
which allows a single sender to communicate a message of arbitrary length to a single receiver. To 
the best of our knowledge, this is the first protocol ever to provide perfect anonymity, message 
privacy and integrity. For a fixed security parameter, the anonymous message transmission is 
asymptotically optimal. 

Our final protocol for anonymous message transmission (Section [9]) allows a sender to send 
a message of arbitrary length to a receiver of his choosing. While any participant can cause the 
protocol to abort, the anonymity of the sender and receiver is always perfectly achieved. The 
privacy of the message is preserved except with exponentially small probability. As far as we are 
aware, all previous proposed protocols for this task require either computational assumptions or 
a majority of honest participants. The protocol deals with the case of multiple senders by first 
executing the collision detection protocol (Section [6]), in which each participant inputs a single bit. 
The outcome only indicates if the sum of the inputs is 0, 1 or more. Compared to similar protocols 
called time slot reservation [Cha88, WP89b], our protocol does not leak any additional information 
about the number of would-be senders. The final protocol also makes use of the notification protocol 
(Section [7]) in which each participant chooses a list of other participants that are to be notified. 
The output privately reveals to each participant the logical OR of his received notifications. A 
special case of this protocol is when a single participant notifies another single participant; this is 
the version used in our final protocol to enable the sender to anonymously tell to the receiver to 
act accordingly. 

1.2 Common features to all protocols 

All protocols presented in the following sections share some common features, which we now de- 
scribe. Our protocols are given in terms of multiparty computation with inputs and outputs and 
involve n participants, indexed by % = 1, . . . , n. In the ideal functionality, the only information that 
the participants learn is their output (and what can be deduced from it). Correctness refers to 
the fact that the outputs are correctly computed, while privacy ensures that the inputs are never 
revealed. 

The protocols ensure correctness and privacy even in the presence of an unlimited number of 
misbehaving participants. Two types of such behaviour are relevant: participants who collude 
(they follow the protocol but pool their information in order to violate the protocol's privacy), and 
participants who actively deviate from the protocol (in order to violate the protocol's correctness 
or privacy). Without loss of generality, these misbehaviours are modelled by assuming a central 
adversary that controls some participants, rendering them corrupt. The adversary is either passive 
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(it learns all the information held by the corrupt participants), or active (it takes full control of 
the corrupt participants). We will deal only with the most general case of active adversaries, and 
require them to be static (the set of corrupt participants does not change). A participant that is 
not corrupt is called honest. Our protocols are such that if they do not abort, there exists inputs 
for the corrupt participants that would lead to the same output if they were to act honestly. If a 
protocol aborts, the participants do not learn any more information than they could have learned 
in an honest execution of the protocol. The input and output description applies only to honest 
participants. 

We assume that each pair of participants shares a private, uniformly random string that can 
be used to implement an authentic private channel. The participants have access to a broadcast 
channel and in some cases, it is simultaneous. A broadcast channel is an authentic broadcast channel 
for which the sender is confident that all participants receive the same value and the receivers know 
the identity of the sender. A simultaneous broadcast channel is a collection of broadcast channels 
where the input of one participant cannot depend on the input of any other participant. This 
could be achieved if all participants simultaneously performed a broadcast. In order to distinguish 
between the two types of broadcast, we sometimes call the broadcast channel a regular broadcast. 
It is not uncommon in multiparty computation to allow additional resources, even if these resources 
cannot be implemented with the threshold on the honest participants (the results of [RB89| which 
combine a broadcast channel with n/2 honest participants being the most obvious example). Our 
work suggests that a simultaneous broadcast channel is an interesting primitive to study in this 
context. 

In all protocols, the security parameter is s. Unfortunately, in many of our protocols, a single 
corrupt participant can cause the protocol to abort. All protocols run in polynomial time with 
respect to the number of participants, the security parameter and the input length. Although some 
of the protocols presented in this paper are efficient, our main focus here is in the existence of 
protocols for the described tasks. We leave for future work improvement of their efficiency. Finally, 
due to lack of space, we present only sketches of security proofs. 

2 Parity 

Protocol [1] implements the parity function and is essentially the same as the dining cryptographers 
protocol [Cha88| . with the addition of a simultaneous broadcast channel. Note that if we used a 
broadcast channel instead, then the last participant to speak would have the unfair advantage of 
being able to adapt his input in order to fix the outcome of the protocol! 

Correctness and privacy follows from [Cha88] . Thus, any adversary can learn only what can 
be deduced from the corrupt participant's inputs and the outcome of the protocol. Note that this 
means that the adversary can deduce the parity of the inputs of the other participants. We will 
later use the two simple observations that there is no way to cheat except by refusing to broadcast 
and that any value that is broadcast is consistent with a choice of valid inputs. In the following 
protocols, we will adapt step H] of the parity protocol to make it relevant to the scenario, this will 
allow us to remove the assumption of the simultaneous broadcast. We will also use the fact that if a 
single participant either does not broadcast, or broadcasts a random bit in step H] then the value of 
the output of parity is known to this participant, but is perfectly hidden to all other participants. 
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Protocol 1 Parity 

Input: Xi € {0, 1} 

Output: yi = x\ © X2 © • • • © x n 

Broadcast type : simultaneous broadcast 

Achieved functionality: 

1) (Correctness) If the protocol does not abort, the output is the same as in the ideal functionality. 

2) (Privacy) No adversary can learn more than the output of the ideal functionality. 
Each participant i does the following: 

1. Select uniformly at random an n-bit string = rjrf . . . rf with Hamming weight of parity Xi. 

2. Send r\ to participant j using the private channel; keep bit r\ to yourself. 

3. Compute Zi, the parity of the sum of all the bits received, including r\. 

4. Use the simultaneous broadcast channel to announce Z{. 

5. After the simultaneous broadcast is finished, compute y» = ©j? =1 z^. This is the outcome of 
the protocol. If the simultaneous broadcast fails, abort the protocol. 

3 Veto 

In this section, we build on the parity protocol to give a protocol for the secure implementation 
of the veto function, which computes the logical OR of the participant's inputs (Protocol [2|) . We 
also discuss some important deviations from the ideal functionality. 

Protocol 2 Veto 

Input: Xi € {0, 1} 
Output: yi = x\ V X2 V • • • V x n 
Broadcast type : regular broadcast 
Achieved functionality: 

1) (Reliability) No participant can make the protocol abort. 

2) (Correctness) The outcome of the protocol equals the outcome of the ideal functionality. 

3) (Privacy) Any adversary learns what it would have learned in the ideal functionally, had the 
corrupt participants used as input, but nothing more. 

The n participants agree on n orderings such that each ordering has a different last participant, 
result <— 
For each ordering, 
Repeat s times: 

1. Each participant i sets the value of pi in the following way: if x% = then pi = 0; otherwise, 
Pi = 1 with probability \ and Pi = with complimentary probability. 

2. The participants execute the parity protocol with inputs pi,P2, ■ ■ -Pn> with the exception 
that the simultaneous broadcast is replaced by a regular broadcast with the participants 
broadcasting according to the current ordering (if any participant refuses to broadcast, set 
the value result <— 1). If the outcome of parity is 1, then set result <— 1 . 

Output the value result. 



Lemma 3.1. (Reliability) No participant can make the veto protocol abort. 

Proof. If a participant refuses to broadcast, it is assumed that the output of the protocol is 1. □ 

Lemma 3.2. (Correctness) If all participants in the veto protocol have input Xi = ; then the 
protocol achieves the ideal functionality with probability 1. If there exists a participant with input 
Xi = 1 then the protocol is correct with probability at least 1 — 2~ s . 
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Proof. The correctness follows by the properties of the parity protocol, with the difference that 
we now have a broadcast channel instead of a simultaneous broadcast channel. The case where 
all inputs are is trivial. Let x% = 1 and suppose that the protocol is executed until the ordering 
in which participant % speaks last. Then with probability at least 1 — 2~ s , in step [2] of veto, the 
output of the protocol will be set to 1. □ 

Lemma 3.3. (Privacy) In the veto protocol, the most an adversary can learn is the information 
that it could have learned by assigning to all corrupt participants the input 0. Additionally, this 
information is revealed, even to a passive adversary, with probability at least 1 — 2~ s . 

Proof. This follows from the properties of the parity protocol: for a given repetition, the adversary 
learns the parity of the honest participants' p^s, but nothing else. Because of the way that the 
Pi's are chosen in step [H if for any repetition, this parity is odd, the adversary concludes that at 
least one honest participant has input 1, and otherwise if all repetitions yield 0, then the adversary 
concludes that with probability at least 1 — 2~ s , all the honest participant's inputs are 0. In all 
cases, this is the only information that is revealed; clearly, it is revealed to any passive adversary, 
except with exponentially small probability. □ 



4 Vote 



The participants now wish to conduct an m-candidate vote. The idea of Protocol [3] is simple. In 
the veto protocol, each participant with input 1 completely randomizes his input into the parity 
protocol, thus randomizing the output of parity. By flipping the output of parity with probability 
only 1/n, the probability of the outcome being odd becomes a function of the number of such flips. 
Using repetition, this probability can be approximated to obtain the exact number of flips with 
exponentially small error probability. This can be used to compute the number of votes for each 
candidate. Unfortunately, a corrupt participant can randomize his bit with probability higher 
than 1/n, enabling him to vote more than once. But since a participant cannot derandomize the 
parity, he cannot vote less than zero times. Verifying that the sum of the votes equals n ensures 
that all participants vote exactly once. Note that the protocol we present is polynomial in m and 
not in the length of m. 

Lemma 4.1. (Correctness) If the vote does not abort, then there exists an input for each corrupt 
participant such that the output of the honest participants equals the output of the ideal functionality, 
except with probability exponentially small in s. 

Proof. If all participants are honest, the correctness of the protocol is derived from the Chernoff 
bound as explained in the Appendix. Assume now t corrupt participants. Since the parity protocol 
is perfect, the only place participant i can deviate from the protocol is by choosing p$ with an 
inappropriate probability. We first note that if the t corrupt participants actually transmit the 
correct number of private bits in phase A and broadcast the correct number of bits in phase B, 
then whatever they actually send is consistent with some global probability of flipping. 

We use again the fact that it is possible to randomize the parity but not to derandomize it: if 
the corrupt participants altogether flip with a probability not consistent with an integer number of 
votes, either the statistics will be inconsistent, causing the protocol to abort, or we can interpret 
the results as being consistent with an integer amount of votes. If they flip with a probability 
consistent with an integer different than t, then each y[k]i will be assigned a value, but with 
probability exponentially close to 1, we will have Y^k=i 2/Wi n an d the protocol will abort. □ 



6 



Protocol 3 Vote 

Input: Xi € {1, . . . , m} 

Output: for k = 1 to m, y[k]i = \{xj \ Xj = k}\ 
Broadcast type : simultaneous broadcast 
Achieved functionality: 

1) (Correctness) If the protocol does not abort, then there exists an input x« for each corrupt 
participant such that the protocol achieves the ideal functionality. 

2) (Privacy) Even if the protocol aborts, no adversary can learn more that what it would have 
learned by setting in the ideal functionality x% = 1 for all corrupt participants. 

Phase A 

For each candidate k = 1 to m, 
For j = 1 to s, 

1. Each participant i sets the value of pi in the following way: if X{ ^ k, then pi = 0; otherwise, 
Pi = 1 with probability ^ and pi = with complimentary probability. 

2. The participants execute the parity protocol to compute the parity of Pi,P2, ■ ■ -Pn, but 
instead of broadcasting their output bit Zi, they store it as z[k]j. 

Phase B 

All participants simultaneously broadcast z[k}\ (j = 1,2,..., s). If the simultaneous broadcast is 
not successful, the protocol aborts. 
Phase C 

To compute the tally, y[k]i, for each value k = 1 . . . m, each participant sets: p[k]j = ©" =1 z[k]l, 
= Yl S j=iP[k]j 1 1 s an d if there exists an integer v such that \a[k]i — p v \ < , 

where p v = \ (^) v ((^)" - l), then y[k]i =v. 

If for any m, no such value v exists, or if J2T=i vW\i 7^ n i the protocol aborts. 
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Lemma 4.2. (Privacy) In the vote protocol, no adversary can learn more than what it would have 
learned by assigning to all corrupt participants the input 1 in the ideal functionality, and this even 
if the protocol aborts. 

Proof. Assume that the first t participants are corrupt. No information is sent phase A or 
phase C. We thus have to concentrate on phase B where the participants broadcast their in- 
formation regarding each parity. For each execution of parity, the adversary learns the parity 
of the honest participant's values, pt+i © pt+2 © • • • © p n , but no information on these individual 
values is revealed. The adversary can thus only evaluate the probability with which the other 
participants have flipped the parity. But this information could be deduced from the output of the 
ideal functionality, for instance by fixing the corrupt participants' inputs to 1. □ 

It is important to note that the above results do not exclude the possibility of an adversary 
causing the protocol to abort while still learning some information as stipulated in Lemma [4.2i This 
information could be used to adapt the behaviour of the adversary in a future execution of vote. 

In addition to the above theorems, it follows from the use of the simultaneous broadcast channel 
that an adversary cannot act in a way that a corrupt participant's vote depends an honest par- 
ticipant's vote. In particular, it cannot duplicate an honest participant's vote. We claim that our 
protocol provides ballot casting assurance and universal verifiability. This is straightforward from 
the fact that participants do not entrust any computation to a third party: they provide their own 
inputs and can verify that the final outcome is computed correctly. 

5 Anonymous Bit Transmission 

The anonymous bit transmission protocol enables a sender to privately and anonymously trans- 
mit one bit to a receiver of his choice. ProtocolH]actually deals with the usually problematic scenario 
of multiple anonymous senders in an original way: it allows an arbitrary number participants to 
act as anonymous senders, each one targeting any number of participants and sending them each a 
chosen private bit. Each participant is also simultaneously a potential receiver: at the end of the 
protocol, each participant has a private account of how many anonymous senders sent the bit 
and how many sent the bit 1. Note that in our formalism for multiparty computation, the privacy 
of the inputs implies the anonymity of the senders and receivers. 

The security of the anonymous bit transmission protocol follows directly from the security 
of the vote and of the veto. Of course, the anonymous bit transmission also inherits the 
drawbacks of these protocols. More precisely we have the following: 

Lemma 5.1. (Correctness) The anonymous bit transmission protocol computes the correct 
output, except with exponentially small probability. 

Proof. If the protocol does not abort, by Lemmas 13.21 and 14.11 except with exponentially small 
probability, all bits are correctly transmitted. □ 

Lemma 5.2. (Privacy) In the anonymous bit transmission protocol, the privacy is the same 
as in the ideal functionality. 

Proof. Each execution of the vote protocol provides perfect privacy, even if the protocol aborts. 
The final veto reveals some partial information about which honest participants have been targeted 
by corrupt participants, but this does not compromise the privacy of the protocol. □ 
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Protocol 4 Anonymous Bit Transmission 



Input: x>. G {0,1, ±}, (j = l,2,...,n) 
Output: yi = (\{x) | x) = 0}|, \{x) | xj = 1}|) 
Broadcast type : regular broadcast 

1) (Correctness) If the protocol does not abort then the output of the protocol equals the output 
of the ideal functionality. 

2) (Privacy) The privacy is the same as in the ideal functionality. 
For each participant j, 

1. Execute the vote protocol with m = 3 as modified below. The three choices are: 0, 1, or 
_L {abstain). Each participant i chooses his input to the vote according to x\, his choice of 
message to be sent anonymously to participant j. The vote protocol is modified such that: 

(a) The output strings are sent to participant j through the private channel. 

(b) Participant j computes the tally as in the vote and if this computation succeeds, he 
finds out how many participants sent him a 0, how many sent him a 1 and how many 
abstained. If this occurs (and the results are consistent) he sets his success bit, Sj to 0. 
If the vote aborts, he sets Sj to 1. 

Execute the veto protocol, using as inputs the success bits Sj. If the output of veto is 0, then the 
anonymous bit transmission succeeds. Otherwise, the protocol fails. 

In Protocol HJ the use of the private channel in step (a) can be removed and replaced by a 
broadcast channel. Since participant j does not broadcast, the messages remain private. Another 
modification of the protocol makes it possible to send m possible messages instead of just two but 
note that the complexity is polynomial in m and not in the length of m. The transmission of 
arbitrarily long strings is discussed in Sections [8] and [9j 



6 Collision Detection 

The collision detection protocol (Protocol [5]) enables the participants to verify whether or not 
there is a single sender in the group. This will be used as a procedure for the implementation of 
anonymous message transmission in Section [9l Ideally, a protocol to detect a collision would have 
as input only Xi £ {0, 1} but unfortunately we do not know how to achieve such a functionality. 

Lemma 6.1. (Reliability) No participant can make the collision detection protocol abort. 

Proof. This follows from the reliability of veto. □ 

Lemma 6.2. (Correctness) In the collision detection protocol, the output equals the output of 
the ideal functionality (except with exponentially small probability). 

Proof. This follows from the correctness of the veto protocol. There are only two ways a corrupt 
participant can deviate from the protocol. First, participant i can set b% = although xi E {0, 1} 
and although in the first veto his input was 1 and a collision was detected. The outcome of veto B 
will still be 1 since another participant with input 1 in veto A will input 1 in veto B. This is 
consistent with input Xi = 1. Second, participant i can set bi = 1 although Xi = 0. If veto B is 
executed, then we know that another participant has input 1 in veto A. This is consistent with 
input xi = 1. □ 

Note that we have raised a subtle deviation from the ideal protocol in the above proof: we 
showed how it is possible for a corrupt participant to set his input to if all other participants have 
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Protocol 5 Collision Detection 



Input: Xi € {0, 1, 2} 

Output: let r = Yli=l Xi t^ en Hi = min{r, 2} 
Broadcast type : regular broadcast 

1) (Reliability) No participant can make the protocol abort. 

2) (Correctness) The output of the protocol equals the output of the ideal functionality. 

3) (Privacy) An adversary cannot learn more than it could have learned by assigning to all corrupt 
participants the input in the ideal functionality. 

Veto A 

All participants perform the veto protocol with inputs min{xj, 1}. 
Veto B 

If the outcome of veto A is 0, skip this step. Otherwise, each participant with input 1 in veto A 
will set bi = 1 if he detected in veto A that another participant had input 1, or if Xj = 2. All 
other participants set bi = 0. Then all participants perform a second veto protocol with inputs 6j. 

if the outcome of veto A is 
Output: yi = < 1 if the outcome of veto A is 1 and the outcome of veto B is 
_ 2 if the outcome of veto A is 1 and the outcome of veto B is 1 

input and to 1 otherwise. Fortunately, the protocol is still sufficiently good for the requirements 
of the following sections. 

Lemma 6.3. (Privacy) In the collision detection protocol, an adversary cannot learn more than 
it could have learned by assigning to all corrupt participants the input in the ideal functionality. 

Proof. In each veto, an adversary can only learn whether or not there exists an honest participant 
with input 1. In all cases, this can be deduced from the outcome of the ideal functionality by 
setting the input to be for all corrupt participants. □ 



7 Notification 

In the notification protocol (Protocol [6]) , each participant chooses a list of other participants to 
notify. The output privately reveals to each participant whether or not he was notified, but no 
information on the number or origin of such notifications is revealed. 

Lemma 7.1. The notification protocol achieves privacy and except with exponentially small prob- 
ability, the correct output is computed. 

Proof. Privacy and correctness are trivially deduced from properties of the parity protocol. □ 



8 Fixed Role Anonymous Message Transmission 

In Section [5l we presented an anonymous bit transmission protocol. The protocol easily gener- 
alizes to m messages, but the complexity of the protocol becomes polynomial in m. It is not clear 
how to modify the protocol to transmit a string of arbitrary length, while still allowing multiple 
senders and receivers. However, in the context where a single sender S is allowed, it is possible 
to implement a secure protocol for S to anonymously transmit a message to a single receiver R, 
which we call fixed role anonymous message transmission (Protocol [7|) . If the uniqueness 
condition on S and R is not satisfied, the protocol aborts. The protocol combines the use of the 
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Protocol 6 Notification 

Input: Vj 7^ i,xf £ {0, 1} 

Output: y { = x l j 

Broadcast type : regular broadcast 

1) (Correctness) If the protocol does not abort then the output of the protocol equals the output 
of the ideal functionality. 

2) (Privacy) The privacy is the same as in the ideal functionality. 

For each participant i: 

Participant % sets y» <— 0. 
Repeat s times: 

1. Each participant j ^ i sets the value of pj in the following way: if x*- = then pj = 0; 
otherwise, pj = 1 with probability ^ and Pi = with complimentary probability. Let pi = 0. 

2. The participants execute the parity protocol with inputs Px,p%, ■ ■ -p n , with the exception 
that participant i does not broadcast his value, and the simultaneous broadcast is replaced 
by a regular broadcast (if any participant refuses to broadcast, abort). 

3. Participant i computes the outcome of parity, and if it is 1, yi <— 1 . 

parity protocol with an algebraic manipulation detection code |CFP07| . which we present as The- 
orem EU Due to lack of space, the encoding and decoding algorithms, F and G, respectfully, are 
not repeated. For a less efficient algorithm that achieves a similar result, see [PSJ99]. 

Theorem 8.1 QCFP07J). There exists an efficient probabilistic encoding algorithm F : {0, l} m — » 
{0, l}™+2(log(m)+s and ^coding algorithm G : {0, l}™+2(l°g(m)+s) _^ {_L,{0,l} m } such that for 
all w, G(F(w)) = w, and any combination of bit flips applied to w' = F(w) produces a w" such 
that G(w") =_L, except with probability 2~ s . 

Lemma 8.2. (Correctness, Privacy, Oracle) In the fixed role anonymous message transmis- 
sion protocol, the probability that R obtains as output a corrupt message is exponentially small. 
The protocol is perfectly private, and if the oracle conditions are not satisfied, it will abort ( except 
with exponentially small probability). 

Proof. Because of the properties of parity and the fact that the receiver broadcasts a random bit, 
we have perfect privacy. Correctness is a direct consequence of Theorem 18.11 Finally, if more than 
one participant acts as a sender or receiver, then again because of Theorem 18. 1| the message will 
not be faithfully transmitted and the protocol will abort in step 02 except with exponentially small 
probability. □ 

Theorem 8.3. For a fixed security parameter, the fixed role anonymous message transmis- 
sion protocol is asymptotically optimal. 

Proof. For any protocol to preserve the anonymity of the sender and the receiver, each player 
must sent at least one bit to every other player for each bit of the message. In the fixed role 
anonymous message transmission protocol, for a fixed s, each player actually sends O(l) bits 
to each other player and therefore the protocol is asymptotically optimal. □ 

9 Anonymous Message Transmission 

Our final protocol allows a sender to anonymously transmit message to a receiver of his choosing. 
Contrary to the fixed role anonymous message transmission protocol of Section [8l anony- 
mous message transmission (Protocol [8]) does not suppose that there is a single sender, but 
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Protocol 7 Fixed Role Anonymous Message Transmission 
Oracle: The sender S and receiver R know their identity 
Input: S has input w G {0, l} m , all other players have no input 
Output: R has output w, all other players have no output 
Broadcast type : regular broadcast 

1) (Correctness) If the protocol does not abort, R obtains the correct message. 

2) (Privacy) The only information that can be learned through the protocol is for R to learn w. 

3) (Oracle) If the oracle conditions are not satisfied (in the sense that more than one honest 
participant believes to be the sender or the receiver), the protocol will abort. 

1. S computes w' = F(w) 

2. The participants execute m + 2(log(m) + s) rounds of the parity protocol, with participants 
using a broadcast instead of a simultaneous broadcast and using the following inputs: 

(a) S uses as input the bits of w' . 

(b) R uses as input the bits of a random m-bit string, r. 

(c) All other players use as input for each round. 

3. Let d be the output of the rounds of parity. R computes w" = d® r. 

4. R computes y = G(w"). 

5. A veto is performed: all players input except R who inputs 1 if y =_L and otherwise. 
If the outcome of veto is 1, the protocol aborts. Otherwise, R sets his output to y. 



instead, it deals with potential collisions (or lack of any sender at all) by producing the outputs 
Collision or No Transmission. The only deviation from the ideal functionality in the protocol 
is that a single participant can force the Collision output. Note again that in this protocol, the 
privacy of the input implies anonymity of the sender and receiver. 

Lemma 9.1. (Correctness) In the anonymous message transmission protocol, the output 
equals the output of the ideal functionality except with exponentially small probability. The only 
exception is that a single participant can make the protocol produce the output Collision. 

Proof. This follows easily from the correctness of the collision detection, notification and fixed 
role anonymous message transmission protocols. □ 

Lemma 9.2. (Privacy) The anonymity of the sender and receiver are perfect. If the protocol suc- 
ceeds, except with exponentially small probability, participant r is the only participant who knows w. 

Proof. Perfect anonymity follows from the privacy of the collision detection, notification and 
anonymous message transmission protocols. If the sender successfully notifies the receiver in 
step [2j then the privacy of w is perfect. But with exponentially small probability, the receiver 
will not be correctly notified, and an adversary acting as the receiver will successfully receive the 
message w. □ 

10 Conclusion 

We have given six multiparty protocols that are information-theoretically secure without any as- 
sumption on the number of honest participants. It would be interesting to see if the techniques we 
used can be applied to other multiparty functions or in other contexts. 

Our main goal was to prove the existence of several protocols in a model that does not make 
use of any strong hypotheses such as computational assumptions or an honest majority. This 
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Protocol 8 Anonymous Message Transmission 

Input: Xi =_L or x\ = (r, w) where r € {1, . . . , n} and to € {0, l} m 

Output: If \{xi | x, /_L}| = then j/j = No Transmission and if |{xj | Xj ^_L}| > 1 then 
Hi = Collision. Otherwise let S be such that xs = (r, w) then all j/j =_L except y r = w. 
Broadcast type : regular broadcast 

1) (Correctness) The output equals the output of the ideal functionality except that a single par- 
ticipant can make the protocol produce the output Collision. 

2) (Privacy) The privacy is the same as in the ideal functionality. 

1. The participants execute the collision detection protocol; participants who have in- 
put Xi =_L use input while all others use input 1. If the outcome of collision detection 
is 1, continue, otherwise output No Transmission if the output is and Collision if the 
output is 2. 

2. Let the sender S be the unique participant with xs The participants execute the 
notification protocol, with S using input x r s = 1 and x J s = otherwise. All other participants 
use the input bits 0. Let R be the participant who computes as output yn = 1. If the 
notification protocol fails, abort. 

3. The participants execute the fixed role anonymous message transmission protocol. 



being said, all the presented protocols are reasonably efficient: they are all polynomial in terms of 
communication and computational complexity and in one case, asymptotically optimal. 
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A Proof of correctness for Protocol [3] 

Lemma A.l. (Correctness) If all participants are honest in the vote (Protocol^), then the output 
is correct, except with probability exponentially small in s. 

Proof. We fix a value k and suppose that v participants have input X{ = k. Thus we need to show 
that in the vote, y[k]i = v, except with probability exponentially small in s. 

We now give the intuition behind phase C of the vote. Let p v be the probability that p[k]j = 
0™ =1 z[k]\ = 1. For v < n, we have p = 0, pi = ± and p v+ i = p v (l - ±) + (l-p v )±. Solving this 
recurrence, we get 

Thus, the idea of phase C of the vote is for the participants to approximate p v by computing 
a [k]i = Yli=iP[k\j I s - If t ne approximation is within of p v , then the outcome is y[k]i = v. We 
first show that if such a v exists, it is unique. 

Clearly, for v < n, we have that p v +i > p v . We also have lim^^ooPn = \ — j-y. Thus the 
difference between p v +\ and p v is: 

p v+ x -p v =p v ( 1 - - ] + (1 -p)- -p v (2) 
V n I n 



1 - 2p 



V 



n 



(3) 



(4) 

n 

> 4~ (5) 

Hence if such a v exists, it is unique. We now show that except with probability exponentially 
small in s, the correct v will be chosen. Let X = Ylj=iP[k]j be the sum of the s executions of 
parity, with \i = sp v the expected value of X. The participants have computed cr[k]i = X/s . 

By the Chernoff bound, for any < S < 1, 

Pi[X < (1 - 5)fi] < exp(-/i5 2 / 2 ) (6) 

Let 6 = 7tt — • We have 
and so 

— 1 s 
Pr[a[k]i - Pv < —5-] < exp(- ) (8) 

Similarly, still by the Chernoff bound, for any 5 < 2e — 1, 

Pr[X > (1 + 5)fi] < exp(-^ 2 /4) (9) 

Let S = ttt — and we get 
and so 

Pr H%-P.>^]<exp( I g i =^ ; ) (ID 

Hence the protocol produces the correct value for y[k]i, except with probability exponentially 
small in s. □ 
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